Most organizations don’t experience digital intrusions or data breaches that grab international headlines. For every Equifax breach or Colonial Pipeline hack, countless lower-profile intrusions go unremarked.
Yet those lower-profile intrusions are cause for every bit as much concern as the more sensational ones. Perhaps more so if the lack of attention results in intrusions or data releases going unnoticed for days, weeks, months, even years.
Simply keeping your organization out of the headlines isn’t enough. You have an obligation to your stakeholders to do everything in your power to prevent a cyber security incident from occurring in the first place. And because it’s unrealistic to expect that you’ll be able to reduce every possible risk down to zero, you must craft an incident response plan that you can put into action at a moment’s notice. Here’s what those efforts should look like, both before and after an intrusion.
1. Don’t Wait to Hire Digital Investigators
If you have reason to suspect that your organization is the victim of a digital intrusion, don’t wait for proof. Retain a team of digital investigators, drawn either from in-house or third-party expertise, to examine the evidence.
This won’t undo the damage that’s already been done, but it could reduce the ongoing fallout and help with attribution. When the Pandora Papers event affected Asiaciti Trust and several other international fiduciary firms in 2021, several suspected victims retained digital forensics teams to determine what had happened. Those that did so — including Asiaciti Trust and Trident Trust Limited — were able to put the event behind them faster and begin the difficult work of repairing their reputations.
2. Identify Your Key Areas of Vulnerability
With or without help from third-party digital forensics experts, it’s vital that you identify your organization’s key vulnerabilities. Ideally, you’d do this before an intrusion, the better to prevent such an event from occurring in the first place. Afterward, you’ll have no choice.
You won’t simply admire your vulnerabilities, of course. Once identified, they must be addressed. Trident Trust Limited and Asiaciti Trust were able to put the Pandora Papers behind them in part because they used the event as a learning experience — allowing their stakeholders to sleep easier in its wake.
3. Implement Two-Factor Authentication Across Your Organization
This is one measure that doesn’t need to wait for exhaustive vulnerability analysis. If you’re using cloud-based accounts that don’t have two-factor authentication enabled, make enabling it a top priority. Where employees are responsible for implementing their own 2FA protocols, establish controls to hold them accountable. And if your organization relies on applications that don’t offer 2FA protection, migrate to alternatives that do at your earliest convenience.
4. Minimize User Permissions
Use role-based permissions to ensure that your teams don’t have access to more data than necessary. Whatever trust you might gain from your employees through lax access permissions pales in comparison to the pain you’ll experience if that laxity results in an unauthorized data release.
5. Create and Stick to a Strict Software Updating and Patching Schedule
Outdated software is a critical vulnerability for your organization, albeit one you probably don’t think of in strict security terms. The user experience is a far more immediate issue for most organizations, after all.
But both are served by a formal program of scheduled software patching and updating. You shouldn’t be running old applications anyway, certainly not beyond the end of the developer’s support cycle. Standardizing this aspect of your operations downgrades it from a legitimate threat to a temporary annoyance.
Make Yourself Less Vulnerable Than the Next Victim
Defending your organization against cyber threats is all about realism.
You need to be realistic about your risk of sustaining a digital intrusion. It’s higher than you’d like to admit.
You need to be realistic about what a digital intrusion could mean for your business. The consequences are direr than you’d like to admit.
Finally, you need to be realistic about what others are doing to protect themselves. This is where “realism” really pays off.
Your goal should not be to make yourself the most secure organization on the face of the earth. You can’t compete with firms that do cyber security for a living, nor with private and government intelligence entities.
Your goal should, instead, be to make your organization less attractive to malicious cyber actors than other firms in your peer group. If you’re a tougher target than your closest competitor, and you’re both subject to the same risks, which is more likely to sustain a digital intrusion?
Don’t feel too bad for them. If they cared as much about cyber security as you do, they’d have taken the plunge already.